[PATCH v3 2/2] binman: add fast authentication method for i.MX8M signing
Simon Glass
sjg at chromium.org
Mon Sep 30 20:52:16 CEST 2024
Hi Brian,
On Mon, 30 Sept 2024 at 10:10, Brian Ruley <brian.ruley at gehealthcare.com> wrote:
>
> Using the PKI tree with SRKs as intermediate CA isn't necessary or even
> desirable in some situations (boot time, for example). Add the possibility
spelling
> to use the "fast authentication" method where the image and CSF are both
> signed using the SRK [1, p.63].
>
> [1] https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/202591/1/CST_UG.pdf
>
> Signed-off-by: Brian Ruley <brian.ruley at gehealthcare.com>
> Cc: Marek Vasut <marex at denx.de>
>
> tools/binman/etype/nxp_imx8mcst.py | 23 +++++++++++++++++++----
> 1 file changed, 19 insertions(+), 4 deletions(-)
That should be below the --- (you can use patman to get this right
automatically)
> ---
> tools/binman/etype/nxp_imx8mcst.py | 44 ++++++++++++++++++++++--------
> 1 file changed, 32 insertions(+), 12 deletions(-)
>
> diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py
> index 0c744a00d7..a80cb94499 100644
> --- a/tools/binman/etype/nxp_imx8mcst.py
> +++ b/tools/binman/etype/nxp_imx8mcst.py
> @@ -36,6 +36,9 @@ csf_config_template = '''
> File = "SRK_1_2_3_4_table.bin"
> Source index = 0
>
> +[Install NOCAK]
> + File = "SRK1_sha256_4096_65537_v3_usr_crt.pem"
> +
> [Install CSFK]
> File = "CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
Since 'sha256_4096_65537_v3_usr_crt.' is common to everything, could
you have a variable, say keyname, and use that everywhere?
>
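Review bot: The filename placed in the new `[Install NOCAK]` section is, as far as the later hunk shows, always either overwritten from `self.srk_crt` or dropped together with the section, so the literal here is a placeholder rather than an effective default. A short comment above `csf_config_template` saying that every `File` value is replaced at runtime from the device-tree property or environment variable would stop readers from editing the template and expecting the change to take effect. The template string itself starts outside the hunk.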
> @@ -74,16 +77,25 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
> self._node, 'nxp,srk-table',
> 'SRK_1_2_3_4_table.bin'
> ))
> - self.csf_crt = os.getenv(
> - 'CSF_KEY', fdt_util.GetString(
> - self._node, 'nxp,csf-crt',
> - 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem'
> - ))
> - self.img_crt = os.getenv(
> - 'IMG_KEY', fdt_util.GetString(
> - self._node, 'nxp,img-crt',
> - 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem'
> - ))
> + self.fast_auth = fdt_util.GetBool(self._node, 'nxp,fast-auth')
> + if not self.fast_auth:
> + self.csf_crt = os.getenv(
> + 'CSF_KEY', fdt_util.GetString(
> + self._node, 'nxp,csf-crt',
> + 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem'
e.g. f'CSF1_1_{keyname}'
> + ))
> + self.img_crt = os.getenv(
> + 'IMG_KEY', fdt_util.GetString(
> + self._node, 'nxp,img-crt',
> + 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem'
> + ))
> + else:
> + self.srk_crt = os.getenv(
> + 'SRK_KEY', fdt_util.GetString(
> + self._node, 'nxp,srk-crt',
> + 'SRK1_sha256_4096_65537_v3_usr_crt.pem'
> + ))
All three options seem to read the 'nxp,srk-crt' property, so you can
do that once, before the if(), to reduce the amount of duplicated code.
> +
> self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock')
> self.ReadEntries()
>
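Review bot: `self.srk_crt` is assigned only on the fast-auth branch and `self.csf_crt`/`self.img_crt` only on the other, so any code that touches the attributes of the mode not configured raises AttributeError instead of reporting a clear configuration error; initialising `self.csf_crt = None`, `self.img_crt = None` and `self.srk_crt = None` before the `if not self.fast_auth:` test makes the unused ones safe to inspect. The new `nxp,fast-auth` and `nxp,srk-crt` properties and the `SRK_KEY` environment variable also appear to go undocumented — the diffstat lists only this file and no docstring hunk is shown — and the entry docstring should state that, as the commit message says, fast authentication signs both the CSF and the image with the SRK itself, so the SRK private key has to be available to the signing step and a compromise of it cannot be contained by rotating the CSF/IMG certificates. The enclosing method starts outside the hunk.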
> @@ -137,8 +149,16 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
> # Load configuration template and modify keys of interest
> config.read_string(csf_config_template)
> config['Install SRK']['File'] = '"' + self.srk_table + '"'
This is what I mean by the f-string:
f'"{self.srk_table}"'
> - config['Install CSFK']['File'] = '"' + self.csf_crt + '"'
> - config['Install Key']['File'] = '"' + self.img_crt + '"'
> + if not self.fast_auth:
> + config.remove_section('Install NOCAK')
> + config['Install CSFK']['File'] = '"' + self.csf_crt + '"'
> + config['Install Key']['File'] = '"' + self.img_crt + '"'
> + else:
> + config.remove_section('Install CSFK')
> + config.remove_section('Install Key')
> + config['Install NOCAK']['File'] = '"' + self.srk_crt + '"'
> + config['Authenticate Data']['Verification index'] = '0'
> +
> config['Authenticate Data']['Blocks'] = (hex(signbase) + ' 0 '
> + hex(len(data)) + ' "'
> + str(output_dname) + '"')
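Review bot: The `'0'` written to `Verification index` on the fast-auth branch is a bare magic value; a comment such as `# Fast auth: the data is verified against the installed SRK, not an IMG key` would explain it. It also looks like it must agree with `Source index = 0` in the template's `[Install SRK]` section; if that is the case, deriving it as `config['Install SRK']['Source index']` would keep the two from drifting apart — confirm against the CST user guide cited in the commit message. The non-fast-auth branch leaves whatever `Verification index` the template carries, which is presumably intentional but worth a one-line comment as well. The enclosing method starts outside the hunk.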
Can use f-strings here too, e.g.
f'{signbase:#x} 0 {len(data):#x} ...
> --
> 2.39.5
>
Regards,
Simon